By: Julian Mark
February 14, 2020
Understanding North Korea's Advanced Persistent Threat (APT) Group 37
One common misconception in cybersecurity concerns what an advanced persistent threat (APT) is. An APT is a type of attack, not a threat actor (Lord, 2018). An attack is classified as an APT when an unauthorized user exploits a system and remains in it undetected for an extensive period of time. APT threat actors generally do not want to damage the systems they compromise, because their aim is to access those systems and stay under the radar. The goal of an APT is usually data theft; however, APT 37's goal was not that simple.
Advanced Persistent Threat 37
APT 37, otherwise known as Reaper, is a cyber-espionage group headquartered in North Korea. It was identified by FireEye after it exploited a series of South Korean computer systems using an Adobe Flash zero-day vulnerability in order to gain intelligence. Operating under the direction of the North Korean government, the group gives the nation-state its own cyber unit to be used for political and global gain. It is widely believed that the group started operating in 2012 and that it focuses its efforts on South Korean private and public companies. Although South Korea is its primary target, the group has expanded its efforts to Japan, the Middle East, and Vietnam. Previously it primarily targeted intelligence from South Korea's military and government; however, it has since expanded its intelligence-gathering to other industries, including technology, finance, education and healthcare (FireEye, 2018). To gather this information, the group has used a wide array of tactics and techniques to gain access.
Tactics Used to Gain Access
From sending spear-phishing emails to compromising websites, APT 37 has used various means to distribute its malware. In 2017, APT 37 sent a spear-phishing email to a board member of a Middle Eastern finance company, a technique also known as whaling. The email's attachment contained a Microsoft Office exploit that called home to a malicious website, which then installed a backdoor called SHUTTERSPEED (FireEye, 2018). The backdoor gave APT 37 access to the victim's computer, enabling it to take screenshots; moreover, it allowed the group to install further malicious applications unmolested. The patch for the exploited Microsoft product had been available the month prior. Aside from spear-phishing, APT 37 has delivered malware such as KARAE and POORAIM through other channels, including file-sharing sites. APT 37 also exploits Korean reunification organizations, taking advantage of these organizations' willingness to cooperate. APT 37 frequently exploits Hangul Word Processor (HWP) because it is widely used in the Koreas. Another popular attack vector for the group is exploiting applications like Flash: it waits for vulnerabilities to be publicized and then exploits systems that have not been patched.
Most of these exploits are tied to command and control (C2) systems. One backdoor, DOGCALL, avoids detection by sending its call-home messages through multiple cloud providers, using cloud storage APIs. In the past, APT 37 used a backdoor called POORAIM that took advantage of AOL Instant Messenger for C2. APT 37 is known for the suite of malware it uses for initial intrusion and exfiltration; please see figure (2) for the malware associated with the group. Although APT 37 mostly uses its malware to extract data, it also has destructive capabilities. For example, in April 2017 APT 37 used the DOGCALL backdoor to infiltrate South Korean government and military systems, in conjunction with a data wiper called RUHAPPY that overwrote the victim system's Master Boot Record, destroying the drive's main partition and causing data loss. In its special report, FireEye (2018) assesses that APT 37 has a large botnet in waiting, ready to launch a Distributed Denial of Service attack.
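As an added illustration of two behaviours described above (a document-borne backdoor beaconing to cloud-storage APIs, and a wiper overwriting the MBR), here is constructed detection logic run over sample Sysmon-style events. It is not code from the original post or from FireEye's report; the host names, process names and the raw-disk-write event type are assumptions.

```python
"""Constructed detection example (not from the original post or FireEye).
Flags two behaviours on a Sysmon-like event stream:
  1. a document app (Office or Hangul Word Processor) spawning a child that
     connects to a cloud-storage API host (DOGCALL-style C2 beaconing);
  2. a process opening the raw physical disk for writing, as an MBR wiper
     such as RUHAPPY must do.  Names and event types below are placeholders."""

# Assumed inventory of cloud-storage API hosts; a real deployment builds this
# from its own proxy categories, not from these placeholder names.
CLOUD_STORAGE_API_HOSTS = {"api.cloudstorage-a.example", "files.cloudstorage-b.example"}
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "hwp.exe"}
RAW_DISK_PREFIX = "\\\\.\\physicaldrive"  # \\.\PhysicalDriveN device path


def detect(events):
    """Return alerts as (rule, pid, detail) tuples from an ordered event list."""
    alerts = []
    doc_children = {}  # pid -> (document app, child image)
    for ev in events:
        if ev["type"] == "process_create":
            parent = ev["parent_image"].lower()
            if parent in DOCUMENT_APPS:
                doc_children[ev["pid"]] = (parent, ev["image"].lower())
        elif ev["type"] == "network_connect":
            host = ev["dest_host"].lower()
            if ev["pid"] in doc_children and host in CLOUD_STORAGE_API_HOSTS:
                app, child = doc_children[ev["pid"]]
                alerts.append(("doc_child_cloud_c2", ev["pid"], f"{app} -> {child} -> {host}"))
        elif ev["type"] == "raw_access_write":  # assumed EDR event, not a Sysmon event id
            if ev["device"].lower().startswith(RAW_DISK_PREFIX):
                alerts.append(("raw_disk_write", ev["pid"], f"{ev['image']} wrote {ev['device']}"))
    return alerts


# Constructed sample stream: a malicious HWP document spawning a beaconing child,
# a benign Word child talking to an internal host, and a wiper-style raw write.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120, "parent_image": "HWP.exe",
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe"},
    {"type": "network_connect", "pid": 4120, "dest_host": "api.cloudstorage-a.example"},
    {"type": "process_create", "pid": 4300, "parent_image": "WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe"},
    {"type": "network_connect", "pid": 4300, "dest_host": "printserver.corp.example"},
    {"type": "raw_access_write", "pid": 5010, "image": "C:\\Windows\\Temp\\upd.exe",
     "device": "\\\\.\\PhysicalDrive0"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

The benign Word child is deliberately not flagged: it connects to an internal host rather than a cloud-storage API, which is the distinction the first rule relies on.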
APT 37 acts on the North Korean regime's behalf and has an interest in anything that will keep the regime in power. Therefore, its target profile is aimed at entities that threaten the regime, such as the South Korean government, North Korean defectors, and organizations that support the reunification of the Korean peninsula.
Outcome and Conclusion of the APT
In conclusion, APT 37 is a cyber-espionage group used primarily by the nation-state of North Korea, and it needs to be taken seriously. Being based primarily in North Korea, its members have no fear of prosecution and will continue to operate accordingly.
References
FireEye. (2018). APT37 (REAPER): The overlooked North Korean actor. FireEye Special Report. Retrieved from https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
Lord, N. (2018). What is an advanced persistent threat? APT definition. DataInsider. Retrieved from https://digitalguardian.com/blog/what-advanced-persistent-threat-apt-definition